Skip to content

AnandSundar/hipaa-sentinel

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

image

Go Version AWS HIPAA Eligible HIPAA Security Rule License: MIT Build Status Pull Requests

Engineering Compliance. Not Afterthought.

Automated HIPAA Security Rule (§164.312) gap assessments for AWS environments — built by engineers, for engineers who care about security.


Table of Contents


What Is This? (Plain English)

Imagine you're responsible for a healthcare application that stores patient medical records in Amazon Web Services (AWS). You've heard about HIPAA — the law that protects patient health information — and you know your system needs to comply with it.

HIPAA Sentinel is a security tool that automatically checks whether your AWS setup follows HIPAA rules.

It runs a series of checks (we call them "controls") against your cloud infrastructure — things like:

  • Are your storage buckets encrypted? ✓
  • Is multi-factor authentication enabled for all admin accounts? ✓
  • Are audit logs turned on to track who accessed what? ✓
  • Are your databases protected from the public internet? ✓

After running, it gives you two reports:

  1. Gap Report (JSON) — For your technical team, showing exactly what failed and how to fix it
  2. Executive Summary (Markdown) — For leadership, showing your compliance score in plain English

You can run it manually, or automatically every time you deploy code to catch problems early.


Why I Built This

I built HIPAA Sentinel because I got tired of seeing the same pattern play out over and over in healthcare organizations.

Here's what usually happens: A startup lands their first healthcare client. They spin up AWS. They store patient data. Then someone asks, "Are we HIPAA compliant?" and the answer is usually "We think so."

Six months later, they're staring down a potential breach notification, a OCR audit letter, or worse — a ransomware attack that exploited a misconfigured S3 bucket. The CFO is asking why no one caught this earlier. The answer is always the same: we didn't have a way to continuously verify our controls.

Traditional compliance approaches fail for one reason: they're periodic, not continuous. You hire a consultant, they spend two weeks auditing your environment, they produce a PDF, and then that PDF sits in a drawer until next year's audit. In between? Nothing. Your environment changes daily. Your compliance posture shouldn't be a yearly snapshot.

I built HIPAA Sentinel because I believe:

  1. Compliance should be continuous, not point-in-time. If you can't verify your controls daily, you're flying blind.
  2. Engineers should own security, not abdicate it. Giving a CISO a PDF doesn't make your systems secure. Giving engineers automated checks does.
  3. Security tools should be run by the same people who deploy code. If your CI/CD pipeline can catch a missing semicolon, it should also catch a missing encryption key.

This tool isn't about replacing compliance professionals — it's about giving engineers the ammunition to demonstrate they're building secure systems from day one.


Problem vs. Solution

Aspect Manual Audit Approach HIPAA Sentinel Approach
Time to Assess 2–4 weeks per audit 30–60 seconds per run
Frequency Annual or semi-annual On-demand or per-deploy
Coverage Sampled controls All implemented controls
Cost $15,000–$50,000+ per audit Free (open source)
Accuracy Human error, subjective Automated, deterministic
Remediation Guidance Generic recommendations AWS-specific fix instructions
Integration None CI/CD pipelines, Slack, Jira
Reporting PDF that sits in a drawer JSON + Markdown, version-controlled

How It Works

HIPAA Sentinel operates in three phases:

flowchart TD
    A[Phase 1: Initialize] --> B[Phase 2: Execute Controls]
    B --> C[Phase 3: Generate Reports]
    
    A --> A1[Load config.yaml]
    A --> A2[Initialize AWS SDK]
    A --> A3[Validate credentials]
    
    B --> B1[Access Control Checks]
    B --> B2[Audit Logging Checks]
    B --> B3[Encryption Checks]
    B --> B4[Network Security Checks]
    
    C --> C1[Calculate Risk Scores]
    C --> C2[Generate gap-report.json]
    C --> C3[Generate executive-summary.md]
    
    style A fill:#1e3a5f,color:#fff
    style B fill:#1e3a5f,color:#fff
    style C fill:#1e3a5f,color:#fff
Loading
image

Directory Structure

hipaa-sentinel/
├── cmd/                           # CLI entry point
│   └── main.go                   # Command-line interface
├── config/                        # Configuration management
│   ├── config.go                 # Configuration loading and validation
│   └── mock.go                   # Mock configuration for testing
├── controls/                     # Control execution packages
│   ├── controls.go               # Core control execution logic
│   ├── accesscontrol/            # §164.312(a)(1) Access Control
│   │   ├── checker.go            # Control checker implementation
│   │   └── mock.go               # Mock AWS responses
│   ├── auditlogs/                # §164.312(b) Audit Controls
│   │   ├── checker.go            # Control checker implementation
│   │   └── mock.go               # Mock AWS responses
│   ├── encryption/               # §164.312(e)(2)(ii) Encryption
│   │   ├── checker.go            # Control checker implementation
│   │   └── mock.go               # Mock AWS responses
│   └── networksecurity/          # §164.312(e)(1) Network Security
│       ├── checker.go            # Control checker implementation
│       └── mock.go               # Mock AWS responses
├── reporters/                     # Report generation
│   ├── reporters.go              # Main reporter logic
│   ├── gapreport.go              # JSON gap report generator
│   └── executive.go              # Executive summary generator
├── reports/                       # Generated reports
│   ├── gap-report.json           # Detailed findings in JSON
│   └── executive-summary.md     # Executive summary in Markdown
├── config.yaml                   # Configuration file
├── go.mod                        # Go module dependencies
└── README.md                     # This file

HIPAA Controls Covered

Control ID §164.312 Reference What It Checks AWS Service
AC-1 §164.312(a)(1) MFA enabled for IAM users IAM
AC-2 §164.312(a)(1) IAM user permissions review IAM
AC-3 §164.312(a)(1) Password policy compliance IAM
AC-4 §164.312(a)(1) IAM role policies review IAM
AL-1 §164.312(b) CloudTrail enabled for all regions CloudTrail
AL-2 §164.312(b) CloudTrail multi-region logging CloudTrail
AL-3 §164.312(b) Log file validation enabled CloudTrail
AL-4 §164.312(b) CloudTrail KMS encryption CloudTrail
EN-1 §164.312(e)(2)(ii) S3 bucket encryption at rest S3
EN-2 §164.312(e)(2)(ii) S3 bucket versioning S3
EN-3 §164.312(e)(2)(ii) RDS encryption at rest RDS
EN-4 §164.312(e)(2)(ii) KMS key rotation KMS
NS-1 §164.312(e)(1) VPC configuration EC2/VPC
NS-2 §164.312(e)(1) Security group restrictions EC2
NS-3 §164.312(e)(1) RDS public access RDS
NS-4 §164.312(e)(1) S3 public access blocks S3

Risk Scoring Methodology

Each control category is weighted based on its impact to ePHI confidentiality, integrity, and availability:

pie
    title Category Weight Distribution
    "Access Control" : 30
    "Audit Logging" : 25
    "Encryption" : 25
    "Network Security" : 20
Loading

Scoring Formula (Plain English)

Category Score = (Passing Controls ÷ Total Controls) × 100 × Category Weight
Overall Score = Sum of All Category Scores ÷ Sum of All Weights

Severity Mapping:

Severity Criteria Action Required
🔴 Critical Direct ePHI exposure risk Immediate fix (0–24 hours)
🟠 High Significant control gap Fix within 30 days
🟡 Medium Moderate risk Fix within 90 days
🔵 Low Best practice deviation Address when convenient

image image

Tech Specs

Core Stack

Component Technology
Language Go 1.21+
AWS SDK AWS SDK for Go v2
Configuration YAML (no external dependencies)
Output Formats JSON, Markdown
Build Target Single static binary

System Requirements

Requirement Specification
OS Linux, macOS, Windows
Architecture amd64, arm64
Memory 256 MB minimum
Disk 50 MB
AWS Credentials Read-only access (or use --dry-run)

Performance Benchmarks

Metric Value
Execution Time 30–60 seconds (16 controls)
Cold Start ~2 seconds
Memory Usage ~50 MB
API Calls ~20–50 per run (varies by environment)

Security First

HIPAA Sentinel is designed with read-only, least-privilege principles. The tool never modifies your infrastructure — it only reads configuration to assess compliance.

Why This Matters

A security tool that modifies infrastructure is a liability. Here's why read-only is the right design:

  1. Trust boundary: You shouldn't need to trust a third-party tool with write access to your AWS environment
  2. Audit trail: Changes should go through your existing CI/CD and change management processes
  3. Accident prevention: A misconfigured tool could inadvertently expose data; read-only eliminates this risk
  4. Compliance: Many compliance frameworks require separation between assessment and enforcement

Required IAM Policy

Click to expand minimum required IAM policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "HIPAASentinelReadAccess",
      "Effect": "Allow",
      "Action": [
        "iam:GetUser",
        "iam:GetAccountPasswordPolicy",
        "iam:ListUsers",
        "iam:ListRoles",
        "iam:ListMFADevices",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:LookupEvents",
        "s3:GetBucketEncryption",
        "s3:GetBucketVersioning",
        "s3:GetPublicAccessBlock",
        "s3:ListBuckets",
        "rds:DescribeDBInstances",
        "rds:DescribeDBClusters",
        "ec2:DescribeVpcs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeInstances",
        "kms:ListKeys",
        "kms:GetKeyRotationStatus"
      ],
      "Resource": "*"
    }
  ]
}

Engineering Commentary: This policy follows the principle of least privilege — it grants only the permissions required to read configuration state. Notice there's no Create*, Update*, or Delete* actions. This signals engineering maturity: we've thought carefully about what permissions are actually needed, not just grabbed AdministratorAccess and called it a day. A CISO reviewing this policy can verify the tool poses no risk to their environment.


Quick Start

Option 1: Dry Run (No AWS Required)

Test the tool immediately without AWS credentials:

# Clone and build
git clone https://github.com/hipaa-sentinel/hipaa-sentinel.git
cd hipaa-sentinel
go build -o hipaa-sentinel ./cmd

# Run with mock data
./hipaa-sentinel --dry-run

Option 2: Live AWS Run

Run against your actual AWS environment:

# Configure your AWS credentials
aws configure

# Run the assessment
./hipaa-sentinel --config ./config.yaml

# Or with CLI flags
./hipaa-sentinel --region us-east-1 --output ./reports

Configuration File

# hipaa-sentinel/config.yaml

# AWS Configuration
aws:
  region: us-east-1
  profile: default

# Output Configuration
output:
  directory: ./reports
  format: json

# Control Categories (include or exclude)
controls:
  include:
    - accesscontrol
    - auditlogs
    - encryption
    - networksecurity

# Scoring Weights
weights:
  accesscontrol: 30
  auditlogs: 25
  encryption: 25
  networksecurity: 20

# Dry Run Mode (uses mock data)
dry_run: false

# Logging
logging:
  level: info
  verbose: false

Sample Output

Terminal Output

   _   __     __          __
  / | / /__  / /_  __  __/ /___ _
 /  |/ / _ \/ __ \/ / / / / __ `t`/
/ /|  /  __/ /_/ / /_/ / / /_/ /
/_/ |_/\___/_.___/\__,_/_/\__,_/

  S E N T I N E L
  AWS HIPAA Compliance Checker

 ==================================================

Starting HIPAA compliance assessment...

 ==================================================
            HIPAA COMPLIANCE ASSESSMENT SUMMARY
 ==================================================

 ⚠️ Overall Score: 56.3%

 ⚠️ Status: NON-COMPLIANT

 Control Results:
   ✓ Passed:    9
   ✗ Failed:    7
   ○ Skipped:   0
   ! Errors:    0

 Findings by Severity:
   🔴 Critical: 5
   🟠 High:     1
   🟡 Medium:   1
   🔵 Low:      0

 Category Scores:
   Access Control: 75.0%
   Audit Logs: 100.0%
   Encryption: 25.0%
   Network Security: 25.0%

 Reports saved to: ./reports
   - gap-report.json
   - executive-summary.md

Executive Summary Snippet

# HIPAA Compliance Executive Summary

**Assessment Date:** March 7, 2026

## Executive Overview

⚠️ **ACTION REQUIRED** - Your organization has security gaps that need attention

## Key Metrics

| Metric | Value |
|--------|-------|
| Overall Risk Score | 56% |
| Total Controls Checked | 16 |
| Controls Passing | 9 |
| Controls Needing Attention | 7 |
| Critical Issues | 5 |
| High Priority Issues | 1 |

## Recommended Next Steps

1. Address 5 critical security issues immediately to meet HIPAA requirements
2. Resolve 1 high-priority security gap within the next 30 days
3. Implement encryption for all data at rest and in transit
4. Review and restrict network access to prevent unauthorized data exposure
5. Strengthen access controls with multi-factor authentication for all users

CI/CD Integration

GitHub Actions Workflow

name: HIPAA Compliance Gate

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

jobs:
  hipaa-compliance:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.21'

      - name: Build HIPAA Sentinel
        run: go build -o hipaa-sentinel ./cmd

      - name: Run HIPAA Compliance Check
        run: |
          ./hipaa-sentinel --dry-run --output ./reports

      - name: Upload Gap Report
        uses: actions/upload-artifact@v4
        with:
          name: hipaa-gap-report
          path: reports/gap-report.json

      - name: Upload Executive Summary
        uses: actions/upload-artifact@v4
        with:
          name: hipaa-executive-summary
          path: reports/executive-summary.md

      - name: Check for Critical Findings
        run: |
          CRITICAL=$(grep -c '"severity": "Critical"' reports/gap-report.json || true)
          if [ "$CRITICAL" -gt 0 ]; then
            echo "❌ HIPAA Sentinel blocked deployment: $CRITICAL critical findings"
            cat reports/executive-summary.md
            exit 1
          fi
          echo "✅ No critical HIPAA findings"

Blocking Strategy

Threshold Action Use Case
Critical Findings > 0 Block deployment Immediate HIPAA violation
High Findings > 0 Warn and require approval Significant security gap
Overall Score < 70% Block deployment Overall poor compliance posture

Roadmap

Version Feature Status Business Value
v1.0 Core 16 HIPAA controls ✅ Complete Automated compliance checking
v1.1 JSON report generation ✅ Complete Machine-readable output
v1.2 Executive summary report ✅ Complete Leadership-readable output
v1.3 Dry-run mode with mocks ✅ Complete Testing without AWS credentials
v1.4 Configurable scoring weights ✅ Complete Customizable risk prioritization
v1.5 CI/CD integration templates ✅ Complete Deployment pipeline integration
v1.6 Multi-region AWS support ✅ Complete Global AWS environment support
v1.7 Verbose logging mode ✅ Complete Debugging and troubleshooting
v2.0 Real-time Slack notifications 🟡 Planned Immediate compliance alerts
v2.0 Jira integration 🟡 Planned Automated ticket creation
v2.0 SOC 2 controls 🟡 Planned Expanded compliance coverage
v2.0 PDF report generation 🟡 Planned Formal audit documentation

About the Builder

Name David Gawk
Role Backend Engineer → GRC & Cloud Security
Location British Columbia, Canada (Remote-First)
Background Building production systems for 10+ years, now deliberately transitioning into Governance, Risk, and Compliance (GRC) with a security engineering focus
Philosophy I can implement a compliance control in Go AND explain it to a CISO in plain English

My Stack

Category Technologies
Languages Go, Python, TypeScript
Cloud AWS (primary), GCP, Azure
Infrastructure Terraform, CloudFormation, Kubernetes
Security AWS Security Hub, GuardDuty, Config Rules
Compliance HIPAA, SOC 2, PCI-DSS
Certifications In Progress AWS Security Specialty, Certified Information Security Manager (CISM)

I built HIPAA Sentinel because I believe engineers who build systems should be the same engineers who verify they're secure. Compliance isn't a checkbox — it's a continuous practice.


Disclaimer

HIPAA Sentinel is a tool, not legal advice.

This tool helps you assess technical controls against the HIPAA Security Rule, but it does not guarantee HIPAA compliance. HIPAA compliance involves administrative, physical, and technical safeguards, as well as business associate agreements, policies, procedures, and ongoing risk analysis.

Always consult with a qualified HIPAA compliance professional or legal counsel for official compliance assessments. The authors and contributors of this project accept no liability for decisions made based on this tool's output.


License

License: MIT

MIT License — See LICENSE for full text.


Footer

About

Automated HIPAA Security Rule (§164.312) gap assessments for AWS accounts

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors